Latest patch from metze <metze@metzemix.de> to move most of samba across
authorAndrew Bartlett <abartlet@samba.org>
Thu, 13 Jun 2002 14:06:08 +0000 (14:06 +0000)
committerAndrew Bartlett <abartlet@samba.org>
Thu, 13 Jun 2002 14:06:08 +0000 (14:06 +0000)
to using SIDs instead of RIDs.

The new function sid_peek_check_rid() takes an 'expected domain sid' argument.

The idea here is to prevent mistakes where the SID is implicit, but isn't
the same one that we have in the struct.

Andrew Bartlett
(This used to be commit 04f9a8ff4c7982f6597c0f6748f85d66d4784901)

14 files changed:
source3/include/smb.h
source3/lib/util_sid.c
source3/nsswitch/winbindd_ads.c
source3/nsswitch/winbindd_cache.c
source3/nsswitch/winbindd_group.c
source3/passdb/passdb.c
source3/passdb/pdb_get_set.c
source3/passdb/pdb_ldap.c
source3/passdb/pdb_nisplus.c
source3/passdb/pdb_smbpasswd.c
source3/passdb/pdb_tdb.c
source3/passdb/pdb_unix.c
source3/rpc_server/srv_samr_nt.c
source3/utils/pdbedit.c

index c6045991800a1ac1bf0d484bfb31e8edf09c4ab5..531f270c3dabfd6b1bf3df929dc0a92f592f9e6c 100644 (file)
@@ -624,8 +624,8 @@ typedef struct sam_passwd
                
                uid_t uid;          /* this is a unix uid_t */
                gid_t gid;          /* this is a unix gid_t */
-               uint32 user_rid;    /* Primary User ID */
-               uint32 group_rid;   /* Primary Group ID */
+               DOM_SID user_sid;    /* Primary User SID */
+               DOM_SID group_sid;   /* Primary Group SID */
                
                DATA_BLOB lm_pw; /* .data is Null if no password */
                DATA_BLOB nt_pw; /* .data is Null if no password */
index 21ef9e081b4484ff480b581da9463c7af0c3aa25..3ad9e909d8767ba04451965207baa0e88977c4d2 100644 (file)
@@ -1,10 +1,11 @@
 /* 
    Unix SMB/CIFS implementation.
    Samba utility functions
-   Copyright (C) Andrew Tridgell 1992-1998
-   Copyright (C) Luke Kenneth Caseson Leighton 1998-1999
-   Copyright (C) Jeremy Allison  1999
-   
+   Copyright (C) Andrew Tridgell               1992-1998
+   Copyright (C) Luke Kenneth Caseson Leighton         1998-1999
+   Copyright (C) Jeremy Allison                1999
+   Copyright (C) Stefan (metze) Metzmacher     2002
+      
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 2 of the License, or
@@ -253,6 +254,9 @@ BOOL sid_split_rid(DOM_SID *sid, uint32 *rid)
 
 BOOL sid_peek_rid(DOM_SID *sid, uint32 *rid)
 {
+       if (!sid || !rid)
+               return False;           
+       
        if (sid->num_auths > 0) {
                *rid = sid->sub_auths[sid->num_auths - 1];
                return True;
@@ -260,6 +264,25 @@ BOOL sid_peek_rid(DOM_SID *sid, uint32 *rid)
        return False;
 }
 
+/*****************************************************************
+ Return the last rid from the end of a sid
+ and check the sid against the exp_dom_sid  
+*****************************************************************/  
+
+BOOL sid_peek_check_rid(DOM_SID *exp_dom_sid,DOM_SID *sid, uint32 *rid)
+{
+       if (!exp_dom_sid || !sid || !rid)
+               return False;
+                       
+
+       if (sid_compare_domain(exp_dom_sid, sid)!=0){
+               *rid=(-1);
+               return False;
+       }
+       
+       return sid_peek_rid(sid,rid);
+}
+
 /*****************************************************************
  Copies a sid
 *****************************************************************/  
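Review bot: `sid_peek_check_rid()` relies on `sid_compare_domain()` for the domain check, but nothing in the added function verifies that `sid` has exactly one more sub-authority than `exp_dom_sid`. `sid_compare_domain()` is defined outside this hunk; if it compares only the sub-authorities the two SIDs have in common, the bare domain SID, or a longer SID that merely begins with the domain's, would pass and its last sub-authority would be returned as a RID. An explicit length check before the compare closes that gap, e.g. `if (sid->num_auths != exp_dom_sid->num_auths + 1) { *rid=(-1); return False; }`. The failure paths are also inconsistent: `*rid` is set to `(-1)` on a domain mismatch but left untouched when `sid_peek_rid()` fails, which a header comment should state so that callers do not read `rid` after a False return.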
index 545ee411a449f069cd24d2883de67c64cc953352..28aeb397303972c2b117e8fa842caf5ef619b696 100644 (file)
@@ -273,7 +273,7 @@ static NTSTATUS query_user_list(struct winbindd_domain *domain,
                        continue;
                }
 
-               if (!sid_peek_rid(&sid, &rid)) {
+               if (!sid_peek_check_rid(&domain->sid, &sid, &rid)) {
                        DEBUG(1,("No rid for %s !?\n", name));
                        continue;
                }
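Review bot: The `DEBUG(1,("No rid for %s !?\n", name))` message under the new `sid_peek_check_rid(&domain->sid, &sid, &rid)` call now also fires when the SID simply belongs to a different domain, which the text does not say. Logging the rejected SID, for example `DEBUG(1,("SID %s for %s is not in this domain\n", sid_string_static(&sid), name));`, would let someone reading the log tell a foreign-domain entry from a malformed one. The same applies to the hunks in enum_dom_groups, query_user and lookup_groupmem, and the lookup_usergroups hunk skips such SIDs with a bare `continue` and no message at all. The enclosing functions start and end outside these hunks.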
@@ -356,7 +356,7 @@ static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
                        continue;
                }
 
-               if (!sid_peek_rid(&sid, &rid)) {
+               if (!sid_peek_check_rid(&domain->sid, &sid, &rid)) {
                        DEBUG(1,("No rid for %s !?\n", name));
                        continue;
                }
@@ -584,7 +584,7 @@ static NTSTATUS query_user(struct winbindd_domain *domain,
                goto done;
        }
        
-       if (!sid_peek_rid(&sid, &info->user_rid)) {
+       if (!sid_peek_check_rid(&domain->sid,&sid, &info->user_rid)) {
                DEBUG(1,("No rid for %d !?\n", user_rid));
                goto done;
        }
@@ -662,7 +662,7 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
 
        for (i=1;i<count;i++) {
                uint32 rid;
-               if (!sid_peek_rid(&sids[i-1], &rid)) continue;
+               if (!sid_peek_check_rid(&domain->sid, &sids[i-1], &rid)) continue;
                (*user_gids)[*num_groups] = rid;
                (*num_groups)++;
        }
@@ -737,7 +737,7 @@ static NTSTATUS lookup_groupmem(struct winbindd_domain *domain,
                        DEBUG(1,("No sid for %s !?\n", (*names)[*num_names]));
                        continue;
                }
-               if (!sid_peek_rid(&sid, &rid)) {
+               if (!sid_peek_check_rid(&domain->sid, &sid, &rid)) {
                        DEBUG(1,("No rid for %s !?\n", (*names)[*num_names]));
                        continue;
                }
index dcb93fa3b593491239a440dbd132c136c4bbcb5f..d9ed63baf8d34020d23c69cc39be9fbcd9d6a318 100644 (file)
@@ -658,7 +658,8 @@ static NTSTATUS sid_to_name(struct winbindd_domain *domain,
        NTSTATUS status;
        uint32 rid = 0;
 
-       sid_peek_rid(sid, &rid);
+       if (!sid_peek_check_rid(&domain->sid, sid, &rid))
+               return NT_STATUS_INVALID_PARAMETER;
 
        if (!cache->tdb) goto do_query;
 
index 4ef57513bb0fc3e8e5c5be89d8b86b540d1034a9..ab8e1cfd7847d8eddc400ef1be1df5f10efe1fcc 100644 (file)
@@ -228,7 +228,8 @@ enum winbindd_result winbindd_getgrnam(struct winbindd_cli_state *state)
        }
 
        /* Fill in group structure */
-       sid_peek_rid(&group_sid, &group_rid);
+       if (!sid_peek_check_rid(&domain->sid, &group_sid, &group_rid))
+               return WINBINDD_ERROR;
 
        if (!winbindd_idmap_get_gid_from_sid(&group_sid, &gid)) {
                DEBUG(1, ("error converting unix gid to sid\n"));
index 154963e2a0a25cf6571ae533cdddafacd6dbcb33..31bbf14299f4842ed8563989bd986b0218669776 100644 (file)
@@ -156,7 +156,6 @@ NTSTATUS pdb_init_sam(SAM_ACCOUNT **user)
 NTSTATUS pdb_fill_sam_pw(SAM_ACCOUNT *sam_account, const struct passwd *pwd)
 {
        GROUP_MAP map;
-       uint32 rid;
 
        if (!pwd) {
                return NT_STATUS_UNSUCCESSFUL;
@@ -184,18 +183,25 @@ NTSTATUS pdb_fill_sam_pw(SAM_ACCOUNT *sam_account, const struct passwd *pwd)
           -- abartlet 11-May-02
        */
 
-       pdb_set_user_rid(sam_account, 
-                        fallback_pdb_uid_to_user_rid(pwd->pw_uid));
+       if (!pdb_set_user_sid_from_rid(sam_account, 
+                        fallback_pdb_uid_to_user_rid(pwd->pw_uid))) {
+               DEBUG(0,("Can't set User SID from RID!\n"));
+               return NT_STATUS_INVALID_PARAMETER;
+       }
 
        /* call the mapping code here */
        if(get_group_map_from_gid(pwd->pw_gid, &map, MAPPING_WITHOUT_PRIV)) {
-               sid_peek_rid(&map.sid, &rid);
+               if (!pdb_set_group_sid(sam_account,&map.sid)){
+                       DEBUG(0,("Can't set Group SID!\n"));
+                       return NT_STATUS_INVALID_PARAMETER;
+               }
        } 
        else {
-               rid=pdb_gid_to_group_rid(pwd->pw_gid);
+               if (!pdb_set_group_sid_from_rid(sam_account,pdb_gid_to_group_rid(pwd->pw_gid))) {
+                       DEBUG(0,("Can't set Group SID\n"));
+                       return NT_STATUS_INVALID_PARAMETER;
+               }
        }
-               
-       pdb_set_group_rid(sam_account, rid);
 
        /* check if this is a user account or a machine account */
        if (pwd->pw_name[strlen(pwd->pw_name)-1] != '$')
@@ -455,39 +461,6 @@ BOOL pdb_gethexpwd(const char *p, unsigned char *pwd)
        return (True);
 }
 
-#if 0 /* seem it is not used by anyone */
-/*******************************************************************
- Group and User RID username mapping function
- ********************************************************************/
-
-BOOL pdb_name_to_rid(const char *user_name, uint32 *u_rid, uint32 *g_rid)
-{
-       GROUP_MAP map;
-       struct passwd *pw = Get_Pwnam(user_name);
-
-       if (u_rid == NULL || g_rid == NULL || user_name == NULL)
-               return False;
-
-       if (!pw) {
-               DEBUG(1,("Username %s is invalid on this system\n", user_name));
-               return False;
-       }
-
-       /* turn the unix UID into a Domain RID.  this is what the posix
-          sub-system does (adds 1000 to the uid) */
-       *u_rid = fallback_pdb_uid_to_user_rid(pw->pw_uid);
-
-       /* absolutely no idea what to do about the unix GID to Domain RID mapping */
-       /* map it ! */
-       if (get_group_map_from_gid(pw->pw_gid, &map, MAPPING_WITHOUT_PRIV)) {
-               sid_peek_rid(&map.sid, g_rid);
-       } else 
-               *g_rid = pdb_gid_to_group_rid(pw->pw_gid);
-
-       return True;
-}
-#endif /* seem it is not used by anyone */
-
 /*******************************************************************
  Converts NT user RID to a UNIX uid.
  ********************************************************************/
@@ -578,7 +551,11 @@ BOOL local_lookup_sid(DOM_SID *sid, char *name, enum SID_NAME_USE *psid_name_use
        SAM_ACCOUNT *sam_account = NULL;
        GROUP_MAP map;
 
-       sid_peek_rid(sid, &rid);
+       if (!sid_peek_check_rid(get_global_sam_sid(), sid, &rid)){
+               DEBUG(0,("local_sid_to_gid: sid_peek_check_rid return False! SID: %s\n",
+                       sid_string_static(&map.sid)));
+               return False;
+       }       
        *psid_name_use = SID_NAME_UNKNOWN;
        
        DEBUG(5,("local_lookup_sid: looking up RID %u.\n", (unsigned int)rid));
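Review bot: The failure message added here prints `sid_string_static(&map.sid)`, but `map` is a local `GROUP_MAP` that no line visible in this hunk has filled in yet, so the log formats uninitialised stack memory instead of the SID that was rejected. It should print the argument, and the prefix was copied from another function: `DEBUG(0,("local_lookup_sid: sid_peek_check_rid return False! SID: %s\n", sid_string_static(sid)));`. Since this path is taken for any SID outside the local SAM domain, level 0 may also be louder than intended for a lookup miss. The function body continues outside the hunk.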
@@ -724,10 +701,9 @@ BOOL local_lookup_name(const char *c_user, DOM_SID *psid, enum SID_NAME_USE *psi
        }
        
        if (pdb_getsampwnam(sam_account, user)) {
-               sid_append_rid( &local_sid, pdb_get_user_rid(sam_account));
+               sid_copy(psid, (DOM_SID *) pdb_get_user_sid(sam_account));
                *psid_name_use = SID_NAME_USER;
                
-               sid_copy( psid, &local_sid);
                pdb_free_sam(&sam_account);
                return True;
        }
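Review bot: `sid_copy(psid, (DOM_SID *) pdb_get_user_sid(sam_account))` casts away the `const` that the new getter deliberately returns. The prototype of `sid_copy()` is not shown; if its source parameter is not already `const DOM_SID *`, changing it would allow `sid_copy(psid, pdb_get_user_sid(sam_account));` and keep the compiler checking that the stored SID is never written through the returned pointer. The same cast appears in the local_uid_to_sid, pdb_get_user_rid, pdb_get_group_rid, _api_samr_create_user and print_sam_info hunks.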
@@ -800,7 +776,7 @@ DOM_SID *local_uid_to_sid(DOM_SID *psid, uid_t uid)
                }
                
                if (pdb_getsampwnam(sam_user, pass->pw_name)) {
-                       sid_append_rid(psid, pdb_get_user_rid(sam_user));
+                       sid_copy(psid, (DOM_SID *) pdb_get_user_sid(sam_user));
                } else {
                        sid_append_rid(psid, fallback_pdb_uid_to_user_rid(uid));
                }
@@ -920,7 +896,11 @@ BOOL local_sid_to_gid(gid_t *pgid, DOM_SID *psid, enum SID_NAME_USE *name_type)
                if (map.gid==-1)
                        return False;
 
-               sid_peek_rid(&map.sid, &rid);
+               if (!sid_peek_check_rid(get_global_sam_sid(), &map.sid, &rid)){
+                       DEBUG(0,("local_sid_to_gid: sid_peek_check_rid return False! SID: %s\n",
+                               sid_string_static(&map.sid)));
+                       return False;
+               }
                *pgid = map.gid;
                *name_type = map.sid_name_use;
                DEBUG(10,("local_sid_to_gid: mapped SID %s (%s) -> gid (%u).\n", sid_to_string( str, psid),
@@ -996,9 +976,9 @@ void copy_id23_to_sam_passwd(SAM_ACCOUNT *to, SAM_USER_INFO_23 *from)
                pdb_set_munged_dial(to   , pdb_unistr2_convert(&from->uni_munged_dial ));
 
        if (from->user_rid)
-               pdb_set_user_rid(to, from->user_rid);
+               pdb_set_user_sid_from_rid(to, from->user_rid);
        if (from->group_rid)
-               pdb_set_group_rid(to, from->group_rid);
+               pdb_set_group_sid_from_rid(to, from->group_rid);
 
        pdb_set_acct_ctrl(to, from->acb_info);
        pdb_set_unknown_3(to, from->unknown_3);
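Review bot: The return values of `pdb_set_user_sid_from_rid()` and `pdb_set_group_sid_from_rid()` are dropped here, although unlike the old `pdb_set_*_rid()` assignments the new setters can fail (they return False when `sid_append_rid()` fails). On failure the account silently keeps whatever SID it held before, while the RID being applied comes from the info-level structure passed in. Since `copy_id23_to_sam_passwd()` returns void, the failure should at least be logged: `if (!pdb_set_user_sid_from_rid(to, from->user_rid)) DEBUG(0,("copy_id23_to_sam_passwd: can't set user SID from RID %u\n", (unsigned int)from->user_rid));`. The same unchecked calls appear in the copy_id21_to_sam_passwd, init_sam_from_ldap, make_sam_from_nisp_object, build_sam_account, init_sam_from_buffer, tdb_update_sam and new_machine hunks, several of which return BOOL and could propagate the failure instead.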
@@ -1051,9 +1031,9 @@ void copy_id21_to_sam_passwd(SAM_ACCOUNT *to, SAM_USER_INFO_21 *from)
                pdb_set_munged_dial(to   , pdb_unistr2_convert(&from->uni_munged_dial ));
 
        if (from->user_rid)
-               pdb_set_user_rid(to, from->user_rid);
+               pdb_set_user_sid_from_rid(to, from->user_rid);
        if (from->group_rid)
-               pdb_set_group_rid(to, from->group_rid);
+               pdb_set_group_sid_from_rid(to, from->group_rid);
 
        /* FIXME!!  Do we need to copy the passwords here as well?
           I don't know.  Need to figure this out   --jerry */
index 5ed54a985724a5a3046f211f78252c42a42e27ec..0b5a1053ae5dac260cea8fe4b12029fe25392777 100644 (file)
@@ -5,6 +5,7 @@
    Copyright (C) Luke Kenneth Casson Leighton  1996-1998
    Copyright (C) Gerald (Jerry) Carter         2000-2001
    Copyright (C) Andrew Bartlett               2001-2002
+   Copyright (C) Stefan (metze) Metzmacher     2002
       
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -155,21 +156,41 @@ const char* pdb_get_plaintext_passwd (const SAM_ACCOUNT *sampass)
        else
                return (NULL);
 }
+const DOM_SID *pdb_get_user_sid(const SAM_ACCOUNT *sampass)
+{
+       if (sampass) 
+               return &sampass->private.user_sid;
+       else
+               return (NULL);
+}
+
+const DOM_SID *pdb_get_group_sid(const SAM_ACCOUNT *sampass)
+{
+       if (sampass)
+               return &sampass->private.group_sid;
+       else    
+               return (NULL);
+}      
 
 uint32 pdb_get_user_rid (const SAM_ACCOUNT *sampass)
 {
+       uint32 u_rid;
+
        if (sampass)
-               return (sampass->private.user_rid);
-       else
-               return (-1);
+               if (sid_peek_check_rid(get_global_sam_sid(), (DOM_SID *) pdb_get_user_sid(sampass),&u_rid))
+                       return u_rid;
+       
+       return (-1);
 }
 
 uint32 pdb_get_group_rid (const SAM_ACCOUNT *sampass)
 {
+       uint32 g_rid;
+
        if (sampass)
-               return (sampass->private.group_rid);
-       else
-               return (-1);
+               if (sid_peek_check_rid(get_global_sam_sid(), (DOM_SID *) pdb_get_group_sid(sampass),&g_rid))
+                       return g_rid;
+       return (-1);
 }
 
 /**
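Review bot: `pdb_get_user_rid()` and `pdb_get_group_rid()` now return `(uint32)-1` whenever the stored SID is not under `get_global_sam_sid()`, which presumably includes an account whose SID was never set. Code visible elsewhere in this commit still tests for zero to detect a missing RID (`if (rid==0)` in init_nisp_from_sam, the "without a RID" branches in tdb_update_sam), so such callers would likely treat 0xFFFFFFFF as a real RID after this change. Either return 0 for "no RID in this domain" or audit those tests, and state the sentinel in a header comment on both getters, e.g. `/* Returns the RID, or (uint32)-1 if sampass is NULL or its SID is not in the global SAM domain */`. The nested `if (sampass) if (...)` would also be less fragile with braces.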
@@ -487,27 +508,71 @@ BOOL pdb_set_gid (SAM_ACCOUNT *sampass, const gid_t gid)
 
 }
 
-BOOL pdb_set_user_rid (SAM_ACCOUNT *sampass, uint32 rid)
+BOOL pdb_set_user_sid (SAM_ACCOUNT *sampass, DOM_SID *u_sid)
+{
+       if (!sampass || !u_sid)
+               return False;
+       
+       sid_copy(&sampass->private.user_sid, u_sid);
+
+       DEBUG(10, ("pdb_set_user_sid: setting user sid %s\n", 
+                   sid_string_static(&sampass->private.user_sid)));
+       
+       return True;
+}
+
+BOOL pdb_set_group_sid(SAM_ACCOUNT *sampass, DOM_SID *g_sid)
 {
+       if (!sampass || !g_sid)
+               return False;
+
+       sid_copy(&sampass->private.group_sid, g_sid);
+
+       DEBUG(10, ("pdb_set_group_sid: setting group sid %s\n", 
+                   sid_string_static(&sampass->private.group_sid)));
+
+       return True;
+}
+
+BOOL pdb_set_user_sid_from_rid (SAM_ACCOUNT *sampass, uint32 rid)
+{
+       DOM_SID u_sid;
+
        if (!sampass)
                return False;
 
-       DEBUG(10, ("pdb_set_rid: setting user rid %d, was %d\n", 
-                  rid, sampass->private.user_rid));
-       sampass->private.user_rid = rid;
+       sid_copy(&u_sid, get_global_sam_sid());
+
+       if (!sid_append_rid(&u_sid, rid))
+               return False;
+
+       if (!pdb_set_user_sid(sampass, &u_sid))
+               return False;
+
+       DEBUG(10, ("pdb_set_user_sid_from_rid:\n\tsetting user sid %s from rid %d\n", 
+                   sid_string_static(&u_sid),rid));
+
        return True;
 }
 
-BOOL pdb_set_group_rid (SAM_ACCOUNT *sampass, uint32 grid)
+BOOL pdb_set_group_sid_from_rid (SAM_ACCOUNT *sampass, uint32 grid)
 {
+       DOM_SID g_sid;
+
        if (!sampass)
                return False;
+       
+       sid_copy(&g_sid, get_global_sam_sid());
+       
+       if (!sid_append_rid(&g_sid, grid))
+               return False;
+
+       if (!pdb_set_group_sid(sampass, &g_sid))
+               return False;
+
+       DEBUG(10, ("pdb_set_group_sid_from_rid:\n\tsetting group sid %s from rid %d\n", 
+                   sid_string_static(&g_sid), grid));
 
-       DEBUG(10, ("pdb_set_group_rid: setting group rid %d, was %d\n", 
-                  grid, sampass->private.group_rid));
-       sampass->private.group_rid = grid;
        return True;
 }
 
index 28c08e0f631e0bad10f73b1ffdaf0dcce5d8c983..7ba8d4a81017952c468d14b1e60575077cef5581 100644 (file)
@@ -624,7 +624,8 @@ static BOOL init_sam_from_ldap (struct ldapsam_privates *ldap_state,
                        GROUP_MAP map;
                        /* call the mapping code here */
                        if(get_group_map_from_gid(gid, &map, MAPPING_WITHOUT_PRIV)) {
-                               sid_peek_rid(&map.sid, &group_rid);
+                               if (!sid_peek_check_rid(get_global_sam_sid(), &map.sid, &group_rid))
+                                       return False;
                        } 
                        else {
                                group_rid=pdb_gid_to_group_rid(gid);
@@ -780,8 +781,8 @@ static BOOL init_sam_from_ldap (struct ldapsam_privates *ldap_state,
        pdb_set_hours_len(sampass, hours_len);
        pdb_set_logon_divs(sampass, logon_divs);
 
-       pdb_set_user_rid(sampass, user_rid);
-       pdb_set_group_rid(sampass, group_rid);
+       pdb_set_user_sid_from_rid(sampass, user_rid);
+       pdb_set_group_sid_from_rid(sampass, group_rid);
 
        pdb_set_username(sampass, username);
 
@@ -1273,7 +1274,8 @@ static BOOL ldapsam_getsampwrid(struct pdb_methods *my_methods, SAM_ACCOUNT * us
 static BOOL ldapsam_getsampwsid(struct pdb_methods *my_methods, SAM_ACCOUNT * user, DOM_SID *sid)
 {
        uint32 rid;
-       sid_peek_rid(sid, &rid);
+       if (!sid_peek_check_rid(get_global_sam_sid(), sid, &rid))
+               return False;
        return ldapsam_getsampwrid(my_methods, user, rid);
 }      
 
index 0c4c2c5bb35ef9ee8c63bb8d28ce4f661b145b5c..80f918d1a6c801e2a6813bd38b6d7804a5f7f1d4 100644 (file)
@@ -339,8 +339,8 @@ static BOOL make_sam_from_nisp_object(SAM_ACCOUNT *pw_buf, const nis_object *obj
 
   pdb_set_uid(pw_buf, atoi(ENTRY_VAL(obj, NPF_UID)));
   pdb_set_gid(pw_buf, atoi(ENTRY_VAL(obj, NPF_SMB_GRPID)));
-  pdb_set_user_rid(pw_buf, atoi(ENTRY_VAL(obj, NPF_USER_RID)));
-  pdb_set_group_rid(pw_buf, atoi(ENTRY_VAL(obj, NPF_GROUP_RID)));
+  pdb_set_user_sid_from_rid(pw_buf, atoi(ENTRY_VAL(obj, NPF_USER_RID)));
+  pdb_set_group_sid_from_rid(pw_buf, atoi(ENTRY_VAL(obj, NPF_GROUP_RID)));
 
   /* values, must exist for user */
   if( !(pdb_get_acct_ctrl(pw_buf) & ACB_WSTRUST) ) {
@@ -381,7 +381,7 @@ static BOOL make_sam_from_nisp_object(SAM_ACCOUNT *pw_buf, const nis_object *obj
   else 
   {
     /* lkclXXXX this is OBSERVED behaviour by NT PDCs, enforced here. */
-    pdb_set_group_rid (pw_buf, DOMAIN_GROUP_RID_USERS); 
+    pdb_set_group_sid_from_rid (pw_buf, DOMAIN_GROUP_RID_USERS); 
   }
 
   /* Check the lanman password column. */
@@ -538,7 +538,8 @@ static BOOL init_nisp_from_sam(nis_object *obj, const SAM_ACCOUNT *sampass,
 
                if (rid==0) {
                        if (get_group_map_from_gid(pdb_get_gid(sampass), &map, MAPPING_WITHOUT_PRIV)) {
-                               sid_peek_rid(&map.sid, &rid);
+                               if (!sid_peek_check_rid(get_global_sam_sid(), &map.sid, &rid))
+                                       return False;
                        } else 
                                rid=pdb_gid_to_group_rid(pdb_get_gid(sampass));
                }
@@ -1034,7 +1035,8 @@ BOOL pdb_getsampwnam(SAM_ACCOUNT * user, const char *sname)
 BOOL pdb_getsampwsid(SAM_ACCOUNT * user, DOM_SID *sid)
 {
        uint32 rid;
-       sid_peek_rid(sid, &rid);
+       if (!sid_peek_check_rid(get_global_sam_sid(), sid, &rid))
+               return False;
        return pdb_getsampwrid(user, rid);
 }
 
index a6bd66eacee0731cbe1d9b87ce9b0d938e90e32c..25957100d87e30fa0930a3ae8dc16d43a53233eb 100644 (file)
@@ -1242,14 +1242,14 @@ static BOOL build_sam_account(struct smbpasswd_privates *smbpasswd_state,
            && (pw_buf->smb_userid >= smbpasswd_state->low_nua_userid) 
            && (pw_buf->smb_userid <= smbpasswd_state->high_nua_userid)) {
 
-               pdb_set_user_rid(sam_pass, fallback_pdb_uid_to_user_rid (pw_buf->smb_userid));
+               pdb_set_user_sid_from_rid(sam_pass, fallback_pdb_uid_to_user_rid (pw_buf->smb_userid));
 
                /* lkclXXXX this is OBSERVED behaviour by NT PDCs, enforced here. 
                   
                   This was down the bottom for machines, but it looks pretty good as
                   a general default for non-unix users. --abartlet 2002-01-08
                */
-               pdb_set_group_rid (sam_pass, DOMAIN_GROUP_RID_USERS); 
+               pdb_set_group_sid_from_rid (sam_pass, DOMAIN_GROUP_RID_USERS); 
                pdb_set_username (sam_pass, pw_buf->smb_name);
                pdb_set_domain (sam_pass, lp_workgroup());
        } else {
@@ -1458,7 +1458,8 @@ static BOOL smbpasswd_getsampwrid(struct pdb_methods *my_methods, SAM_ACCOUNT *s
 static BOOL smbpasswd_getsampwsid(struct pdb_methods *my_methods, SAM_ACCOUNT * user, DOM_SID *sid)
 {
        uint32 rid;
-       sid_peek_rid(sid, &rid);
+       if (!sid_peek_check_rid(get_global_sam_sid(), sid, &rid))
+               return False;
        return smbpasswd_getsampwrid(my_methods, user, rid);
 }
 
index 2341210e39218818d3fd00ba9d54192b04e76406..b309f675b355e753861419a960474b7a5013b6bb 100644 (file)
@@ -246,8 +246,8 @@ static BOOL init_sam_from_buffer (struct tdbsam_privates *tdb_state,
                }
        }
 
-       pdb_set_user_rid(sampass, user_rid);
-       pdb_set_group_rid(sampass, group_rid);
+       pdb_set_user_sid_from_rid(sampass, user_rid);
+       pdb_set_group_sid_from_rid(sampass, group_rid);
        pdb_set_unknown_3(sampass, unknown_3);
        pdb_set_hours_len(sampass, hours_len);
        pdb_set_unknown_5(sampass, unknown_5);
@@ -671,7 +671,8 @@ static BOOL tdbsam_getsampwrid (struct pdb_methods *my_methods, SAM_ACCOUNT *use
 static BOOL tdbsam_getsampwsid(struct pdb_methods *my_methods, SAM_ACCOUNT * user, DOM_SID *sid)
 {
        uint32 rid;
-       sid_peek_rid(sid, &rid);
+       if (!sid_peek_check_rid(get_global_sam_sid(), sid, &rid))
+               return False;
        return tdbsam_getsampwrid(my_methods, user, rid);
 }
 
@@ -775,7 +776,7 @@ static BOOL tdb_update_sam(struct pdb_methods *my_methods, SAM_ACCOUNT* newpwd,
                                                goto done;
                                        }
                                }
-                               pdb_set_user_rid(newpwd, user_rid);
+                               pdb_set_user_sid_from_rid(newpwd, user_rid);
                        } else {
                                user_rid = tdb_state->low_nua_rid;
                                tdb_ret = tdb_change_uint32_atomic(pwd_tdb, "NUA_RID_COUNTER", &user_rid, RID_MULTIPLIER);
@@ -788,7 +789,7 @@ static BOOL tdb_update_sam(struct pdb_methods *my_methods, SAM_ACCOUNT* newpwd,
                                        ret = False;
                                        goto done;
                                }
-                               pdb_set_user_rid(newpwd, user_rid);
+                               pdb_set_user_sid_from_rid(newpwd, user_rid);
                        }
                } else {
                        DEBUG (0,("tdb_update_sam: Failing to store a SAM_ACCOUNT for [%s] without a RID\n",pdb_get_username(newpwd)));
@@ -805,7 +806,7 @@ static BOOL tdb_update_sam(struct pdb_methods *my_methods, SAM_ACCOUNT* newpwd,
                                goto done;
                        } else {
                                /* This seems like a good default choice for non-unix users */
-                               pdb_set_group_rid(newpwd, DOMAIN_GROUP_RID_USERS);
+                               pdb_set_group_sid_from_rid(newpwd, DOMAIN_GROUP_RID_USERS);
                        }
                } else {
                        DEBUG (0,("tdb_update_sam: Failing to store a SAM_ACCOUNT for [%s] without a primary group RID\n",pdb_get_username(newpwd)));
index 85ff5bd9338714d9f4cc7b320d152451cbe79d55..b4092b88f8acbe053e2dae685d21bb5e84598283 100644 (file)
@@ -68,7 +68,8 @@ static BOOL unixsam_getsampwrid (struct pdb_methods *methods,
 static BOOL unixsam_getsampwsid(struct pdb_methods *my_methods, SAM_ACCOUNT * user, DOM_SID *sid)
 {
        uint32 rid;
-       sid_peek_rid(sid, &rid);
+       if (!sid_peek_check_rid(get_global_sam_sid(), sid, &rid))
+               return False;
        return unixsam_getsampwrid(my_methods, user, rid);
 }
 
index daa39b215fead53e43bcbc660c651c880ab6d733..a6f936fecafeb8c1c352ffcc9b9ee9b243bfdcf5 100644 (file)
@@ -2019,18 +2019,9 @@ NTSTATUS _api_samr_create_user(pipes_struct *p, SAMR_Q_CREATE_USER *q_u, SAMR_R_
                return NT_STATUS_ACCESS_DENIED;         
        }
        
-       /* Get the domain SID stored in the domain policy */
-       if(!get_lsa_policy_samr_sid(p, &dom_pol, &sid)) {
-               pdb_free_sam(&sam_pass);
-               return NT_STATUS_INVALID_HANDLE;
-       }
-
-       /* append the user's RID to it */
-       if(!sid_append_rid(&sid, pdb_get_user_rid(sam_pass) )) {
-               pdb_free_sam(&sam_pass);
-               return NT_STATUS_NO_SUCH_USER;
-       }
-
+       /* Get the user's SID */
+       sid_copy(&sid, (DOM_SID *) pdb_get_user_sid(sam_pass));
+       
        /* associate the user's SID with the new handle. */
        if ((info = get_samr_info_by_sid(&sid)) == NULL) {
                pdb_free_sam(&sam_pass);
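Review bot: Replacing the `get_lsa_policy_samr_sid(p, &dom_pol, &sid)` call with a plain `sid_copy()` removes the only check in this hunk that `dom_pol` is a valid domain handle, and nothing now ties the new account's SID to the domain that handle was opened on. The function starts outside the hunk, so the handle may be validated earlier; if it is not, the `NT_STATUS_INVALID_HANDLE` path is lost and the new user handle is bound to whatever SID the passdb backend stored. Keeping the policy lookup and comparing its domain SID against the account's SID before copying would preserve both checks without needing new locals.

```c
	/* Get the domain SID stored in the domain policy */
	if(!get_lsa_policy_samr_sid(p, &dom_pol, &sid)) {
		pdb_free_sam(&sam_pass);
		return NT_STATUS_INVALID_HANDLE;
	}

	/* the new account must live in the domain this handle refers to */
	if (sid_compare_domain(&sid, (DOM_SID *) pdb_get_user_sid(sam_pass)) != 0) {
		pdb_free_sam(&sam_pass);
		return NT_STATUS_NO_SUCH_USER;
	}

	/* Get the user's SID */
	sid_copy(&sid, (DOM_SID *) pdb_get_user_sid(sam_pass));

	/* … unchanged: get_samr_info_by_sid() and handle creation … */
```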
index 51254667c9bfc9c42f1cba84f6c2ae17c44107d1..ed7f648f2dd9313ff97f34f409175cade835569d 100644 (file)
@@ -81,10 +81,12 @@ static int print_sam_info (SAM_ACCOUNT *sam_pwent, BOOL verbosity, BOOL smbpwdst
                if (IS_SAM_UNIX_USER(sam_pwent)) {
                        uid = pdb_get_uid(sam_pwent);
                        gid = pdb_get_gid(sam_pwent);
-                       printf ("user ID/Group:        %d/%d\n", uid, gid);
+                       printf ("User ID/Group ID:     %d/%d\n", uid, gid);
                }
-               printf ("user RID/GRID:        %u/%u\n", (unsigned int)pdb_get_user_rid(sam_pwent),
-                       (unsigned int)pdb_get_group_rid(sam_pwent));
+               printf ("User SID:             %s\n",
+                       sid_string_static((DOM_SID *)pdb_get_user_sid(sam_pwent)));
+               printf ("Primary Group SID:    %s\n",
+                       sid_string_static((DOM_SID *)pdb_get_group_sid(sam_pwent)));
                printf ("Full Name:            %s\n", pdb_get_fullname(sam_pwent));
                printf ("Home Directory:       %s\n", pdb_get_homedir(sam_pwent));
                printf ("HomeDir Drive:        %s\n", pdb_get_dirdrive(sam_pwent));
@@ -329,7 +331,7 @@ static int new_machine (struct pdb_context *in, char *machinename)
        
        pdb_set_acct_ctrl (sam_pwent, ACB_WSTRUST);
        
-       pdb_set_group_rid(sam_pwent, DOMAIN_GROUP_RID_COMPUTERS);
+       pdb_set_group_sid_from_rid(sam_pwent, DOMAIN_GROUP_RID_COMPUTERS);
        
        if (in->pdb_add_sam_account (in, sam_pwent)) {
                print_user_info (in, name, True, False);